
On Wed, Aug 06, 2025 at 12:39:34PM +0200, Sebastian Mitterle wrote:
On Tue, Aug 5, 2025 at 1:54 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
On Mon, Aug 04, 2025 at 06:31:14PM +0200, Sebastian Mitterle via Devel wrote:
Older libvirt versions still only work if 'encryption_key' is enabled in the server and client certificates. Add a note.
While at it, also add a note that after setting the certificates up, the TLS ports need to be restarted because I haven't found a mention of it elsewhere.
Do this bit in a separate patch, since it is logically independent of the other change.
You're right, I was lazy.
Signed-off-by: Sebastian Mitterle <smitterl@redhat.com> --- docs/kbase/tlscerts.rst | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/docs/kbase/tlscerts.rst b/docs/kbase/tlscerts.rst index 215d454998..a1ea4d5f21 100644 --- a/docs/kbase/tlscerts.rst +++ b/docs/kbase/tlscerts.rst @@ -213,6 +213,10 @@ clients to reach the server, both with and without domain name qualifiers. If clients are likely to connect to the server by IP address, then one or more 'ip_address' fields should also be added.
+Important: If you're running a libvirt version before 11.6.0 you need to also add +``encryption_key`` to the template. Previous versions required this.
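Review bot: In the added "Important:" paragraph, the second sentence ("Previous versions required this.") repeats the first without adding information, and the paragraph never says whether ``encryption_key`` may remain in the template when the certificate is also used with 11.6.0 or later. Suggest dropping the second sentence and stating explicitly what a reader who must support both older and newer libvirt versions should put in the template, so the note can be followed without knowing the history of the change.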
Can we expand this
Important: versions of libvirt before 11.6.0 also required the ``encryption_key`` flag in the template. This is no longer mandated since it is not applicable for use with many modern cryptographic algorithms, but it is harmless if present as it will be ignored. If compatibility with both old and new libvirt versions is required, then this extra flag must be added when creating the certificate.
and likewise below
I wonder, with this expanded note, would it make sense to remove this from the "Issuing server/client certificates" sections and instead move it up to the previous section "Background to TLS certificates"?
Yes, that would avoid the duplication.

Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|